package com.liang.lesson03;
import com.liang.lesson2.JdbcUntils;

import java.sql.*;

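/**
 * Demo of parameterised JDBC queries as the defence against SQL injection.
 *
 * <p>{@link #login} binds the user-supplied values through
 * {@link PreparedStatement#setString}, so the driver transmits them as data rather than as
 * part of the SQL text; an input such as {@code '' or 1=1} is compared literally against the
 * {@code NAME} column instead of rewriting the {@code WHERE} clause.
 */
public class SqlZhuru {
    public static void main(String[] args) {
        login("zhangsan", "123456"); // normal login
//        login("'' or 1=1", "123456"); // injection attempt: bound as a literal, so it matches no row
    }

    /**
     * Looks up {@code users} rows whose {@code NAME} and {@code PASSWORD} equal the given values
     * and prints each matching {@code NAME} to stdout.
     *
     * <p>The SQL text is fixed; both inputs are bound with {@link PreparedStatement#setString},
     * so quotes or SQL keywords inside them cannot change the statement.
     *
     * <p>NOTE(review): the query compares the {@code PASSWORD} column directly with the raw
     * input, which implies the demo table stores passwords in clear text. Outside this demo,
     * store a salted password hash and verify the candidate against it in application code
     * rather than comparing in SQL.
     *
     * @param username value bound to the {@code NAME} column
     * @param password value bound to the {@code PASSWORD} column; never echoed to stdout
     */
    public static void login(String username, String password) {
        Connection conn = null;
        PreparedStatement st = null;
        ResultSet rs = null;
        try {
            conn = JdbcUntils.getConnection();
            // Placeholders keep the statement text constant; the bound values travel as
            // parameters, which is what defeats injection here.
            String sql = "select * from users where `NAME` = ? and `PASSWORD`=?";

            st = conn.prepareStatement(sql);
            st.setString(1, username);
            st.setString(2, password);

            rs = st.executeQuery();

            while (rs.next()) {
                // Only the name is echoed: the stored credential is a secret and must not
                // end up in stdout or log files.
                System.out.println(rs.getString("NAME"));
                System.out.println("========");
            }
        } catch (SQLException e) {
            // Demo-only handling: report the failure and return normally so main() finishes.
            e.printStackTrace();
        } finally {
            // Project helper; presumably null-safe, since any of the three may still be null here.
            JdbcUntils.release(conn, st, rs);
        }
    }
}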
